How to tell if you've been hit by fake ransomware

Fahmida Y. Rashid |
May 2, 2016

Ransomware is no joke, but sometimes, amateur attackers use 'pretend' ransomware -- and you can get your data back easily.

Ransomware tends to change the filename as part of the encryption process. Locky adds a .lock file extension to all documents, while CryptXXX uses the .crypt file extension. Look through the files and see which files have been modified. See if you can still open them or if you can change the file extensions back and open the files. Sometimes, the file extensions have been changed without actually encrypting the files.

Get back into the system using a Linux Live CD and search the system to see if the actual files have been moved or renamed. Most modern operating systems can search the contents of the file along with filenames.

Don’t get your hopes too high

While it’s good to be skeptical, if you see a ransom demand, it's probably legitimate. Thanks to crimeware kits preloaded with ransomware and ransomware as a service, the barrier to entry is much lower. Script kiddies and other less technically inclined criminals are trying to piggyback on the success of real ransomware gangs without putting in the work.

Ransomware infections are a serious threat and fake attacks are relatively rare. But before you start the process of rebuilding your machine to recover from a ransomware infection, make sure you aren’t being scammed. It takes only a few minutes.